OS X Server allows you to set global policies, which apply to all users including admin users. If a global policy locks out ordinary user accounts, but not admin users, then an admin user can go in and change the policy to admit other users. Problems arise if an admin user inadvertently sets a global policy which locks out all users, including admin users: they cannot then log on and change the policy.
Apple details the solution to this in a tech note. All OS X Server syadmins should keep that note, or this article, to hand in case they need it!
Open Directory lockout
If the Open Directory administrator has been locked out, use the following Terminal command to clear all Open Directory account policies:
sudo pwpolicy -n /LDAPv3/ldapi://%2Fvar%2Frun%2Fldapi clearaccountpolicies
You can then get back into Open Directory and set up your policies correctly.
Local administrator lockout
If you have locked out all users, including admin accounts, then you will need to start that Mac up in Single User mode (SUM) by holding Command-S down during startup. You will then be presented with the command prompt, at which you should type the following commands in sequence:
/sbin/mount -uw /
/bin/launchctl load /System/Library/LaunchDaemons/com.apple.opendirectoryd.plist
/usr/bin/pwpolicy -n /Local/Default clearaccountpolicies
These first check and repair the startup volume, then mount it. Next the Open Directory service is launched, and the
pwpolicy tool is used (as above) to clear all policies.
Once those are completed, restart by pressing Command-D.